Allow connlimit by destination

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -4981,13 +4981,15 @@ sub do_connlimit( $ ) {
 
     require_capability 'CONNLIMIT_MATCH', 'A non-empty CONNLIMIT', 's';
 
+    my $destination = $limit =~ s/^d:// ? '--connlimit-daddr ' : '';
+
     my $invert =  $limit =~ s/^!// ? '' : '! '; # Note Carefully -- we actually do 'connlimit-at-or-below'
 
     if ( $limit =~ /^(\d+):(\d+)$/ ) {
 	fatal_error "Invalid Mask ($2)" unless $2 > 0 || $2 < 31;
-	"-m connlimit ${invert}--connlimit-above $1 --connlimit-mask $2 ";
+	"-m connlimit ${invert}--connlimit-above $1 --connlimit-mask $2 $destination";
     } elsif ( $limit =~ /^(\d+)$/ )  {
-	"-m connlimit ${invert}--connlimit-above $limit ";
+	"-m connlimit ${invert}--connlimit-above $limit $destination";
     } else {
 	fatal_error "Invalid connlimit ($limit)";
     }

Shorewall/manpages/shorewall-rules.xml

@@ -1522,21 +1522,27 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">CONNLIMIT</emphasis> - [<emphasis
+        <term><emphasis role="bold">CONNLIMIT</emphasis> - [d:][<emphasis
         role="bold">!</emphasis>]<emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>
 
         <listitem>
           <para>May be used to limit the number of simultaneous connections
-          from each individual host to <replaceable>limit</replaceable>
+          to/from each individual host or network to
-          connections. Requires connlimit match in your kernel and iptables.
+          <replaceable>limit</replaceable> connections. Requires connlimit
-          While the limit is only checked on rules specifying CONNLIMIT, the
+          match in your kernel and iptables. While the limit is only checked
-          number of current connections is calculated over all current
+          on rules specifying CONNLIMIT, the number of current connections is
-          connections from the SOURCE host. By default, the limit is applied
+          calculated over all current connections from the SOURCE or
-          to each host but can be made to apply to networks of hosts by
+          DESTINATION host. By default, limiting is done by SOURCE host or
-          specifying a <replaceable>mask</replaceable>. The
+          net, but if the specification begins with <emphasis
-          <replaceable>mask</replaceable> specifies the width of a VLSM mask
+          role="bold">d:</emphasis>, then limiting will be donw by destination
-          to be applied to the source address; the number of current
+          host or net.</para>
-          connections is then taken over all hosts in the subnet
+
+          <para>By default, the limit is applied to each host but can be made
+          to apply to networks of hosts by specifying a
+          <replaceable>mask</replaceable>. The <replaceable>mask</replaceable>
+          specifies the width of a VLSM mask to be applied to the source
+          address; the number of current connections is then taken over all
+          hosts in the subnet
           <replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.
           When<option> !</option> is specified, the rule matches when the
           number of connection exceeds the

Shorewall6/manpages/shorewall6-rules.xml

@@ -1385,21 +1385,27 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">CONNLIMIT</emphasis> - [<emphasis
+        <term><emphasis role="bold">CONNLIMIT</emphasis> - [d:][<emphasis
         role="bold">!</emphasis>]<emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>
 
         <listitem>
           <para>May be used to limit the number of simultaneous connections
-          from each individual host to <replaceable>limit</replaceable>
+          to/from each individual host or network to
-          connections. Requires connlimit match in your kernel and ip6tables.
+          <replaceable>limit</replaceable> connections. Requires connlimit
-          While the limit is only checked on rules specifying CONNLIMIT, the
+          match in your kernel and iptables. While the limit is only checked
-          number of current connections is calculated over all current
+          on rules specifying CONNLIMIT, the number of current connections is
-          connections from the SOURCE host. By default, the limit is applied
+          calculated over all current connections from the SOURCE or
-          to each host but can be made to apply to networks of hosts by
+          DESTINATION host. By default, limiting is done by SOURCE host or
-          specifying a <replaceable>mask</replaceable>. The
+          net, but if the specification begins with <emphasis
-          <replaceable>mask</replaceable> specifies the width of a VLSM mask
+          role="bold">d:</emphasis>, then limiting will be donw by destination
-          to be applied to the source address; the number of current
+          host or net.</para>
-          connections is then taken over all hosts in the subnet
+
+          <para>By default, the limit is applied to each host but can be made
+          to apply to networks of hosts by specifying a
+          <replaceable>mask</replaceable>. The <replaceable>mask</replaceable>
+          specifies the width of a VLSM mask to be applied to the source
+          address; the number of current connections is then taken over all
+          hosts in the subnet
           <replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.
           When<option> !</option> is specified, the rule matches when the
           number of connection exceeds the